Cybersecurity for Government Agencies: How FedRAMP Works

Modern digital IT is no longer built around basement computer centers. FedRAMP, or the Federal Risk and Authorization Management Program, enables government agencies to move from outdated systems to secure, cloud-based IT.

And Maria Horton, the founder and CEO at EmeSec, a federal contractor that specializes in solutions and services that deliver cloud security, compliance and engineering, knows all there is to know about the FedRAMP process. As an accredited FedRAMP Third Party Assessment Organization (3PAO), EmeSec advises Cloud Service Providers (CSP) on the design and preparation of their application for the FedRAMP certification. The company also fulfills the initial and periodic checks of cloud services that have applied for the program.

Holding government data is not taken lightly, which is why the accreditation process as well as maintaining the necessary level of compliance is a long journey. But, Maria says, it’s worth the time and costs.

“To me, FedRAMP is a strategy into the marketplace. It is an ongoing process. You can’t just get in, get certified and drop it. You actually have to be thinking FedRAMP while you’re managing and operating your cloud solution,” she says in an interview for Government Enabled, EconSys’ new podcast.

What is FedRAMP?

FedRAMP assesses, authorizes and monitors the security of cloud services in a standardized way for government agencies.
It involves a strict assessment of a system’s design to make sure it meets defined security standards. It also requires extensive documentation to prove compliance with the requirements. These two steps, technical assessment and documentation, make up the first part of the process.

“We spend a lot of time talking to those potential customers about what’s involved in the testing because to accomplish it, you not only have to prove the design through technical testing, you have to prove the paperwork is there, so the government and the end-users can understand how the system works,” says Maria.

Once FedRAMP authorization is received, the journey doesn’t end there. A CSP proceeds with what is called ConMon, or continuous monitoring. This is a crucial part of the process: it is how a CSP proves that it remains in compliance.
Continuous monitoring identifies and remediates any vulnerabilities that arise after authorization. It also includes annual tests and reporting to the Program Management Office, which is responsible for the development of the FedRAMP program and its day-to-day operations.

“If you get in and you get FedRAMP certified, but you don’t pay any attention to the requirements three months later, you could find yourself out of the program,” says Maria.

The rigorous program, however, has its benefits: many government agencies won’t consider working with a provider unless they are FedRAMP certified, and once certified, a CSP has proof that their services are sound and secure, giving them access to a whole spectrum of opportunities in the federal marketplace.

Getting started on the FedRAMP journey

The process of achieving FedRAMP certification for cloud service providers wanting to work with government agencies is a marathon — not a sprint.

“You have to look at it from a journey perspective. If you don’t look at it from a journey perspective, it can seem very overwhelming. And you may end up not having enough time on your journey to accomplish the things you want to do successfully within the FedRAMP federal marketplace,” Maria points out.

The certification is just the beginning. Once a company is approved, the continuous monitoring is an ongoing process that requires monthly and annual checks and reporting to make sure they remain in compliance.

Maria says the best way to approach FedRAMP is top-down. A CSP will need resources, people and money. Because multiple organizations and agencies examine a system, including the FedRAMP Program Management Office, the Joint Advisory Board and agencies, it’s important to build a culture of security.

Maria advises following the many public resources available on fedramp.gov, which include templates and guidelines for the process, and also suggests integrating readily available cloud components rather than building everything in-house.

“Don’t reinvent the wheel. A lot of folks are very proud of their development skills or unique skills that they have within a business. Instead of using some of the things that are available to them, they want to showcase their skill sets. Sometimes you can in today’s world use already available cloud pieces and integrate them into your unique offering. That might be a shorter way on the journey instead of building it yourself,” she says.

The role of 3PAO partners

Maria’s company has built this expertise through experience as a 3PAO, or Third Party Assessment Organization. They were one of the first selected to serve as 3PAOs for the FedRAMP program.

Under the FedRAMP PMO guidelines, 3PAOs can serve two purposes: they can advise a client on the design and preparation of applying for the certification, or they can serve as the assessment organization that carries out the various testing and provides objective answers to the company and to the PMO.

The whole process is based on trust and transparency, and the various checks and parties involved are stepping stones in a complex system. Clarity is essential for both the companies seeking to provide services to government agencies and for the agencies looking for private industry solutions.

“There are a lot of layers. It’s not necessarily overly complicated, but it does take into account both enterprise and local. And so sometimes it takes a lot of explanation,” says Maria. “And so I encourage many of my customers not to feel overwhelmed, but to look at what they want to accomplish with FedRAMP or with their cloud solution.”
